Techniques for securely provisioning a set of enclaves are described. A contract owner may register with a shared registry. A subset of enclaves may be selected to be provisioned from among a plurality of enclaves. A keyshare may be requested from one or more provisioning services for each of the subset of enclaves to be provisioned. The requested keyshares may be received from each provisioning service for each of the subset of enclaves to be provisioned. For each of the selected enclaves, the received keyshares may be sent for verification by the enclave. Each of the selected enclaves may send an authenticated and encrypted key derived from the received keyshares.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A device within a distributed system, comprising: a member device comprising a processor circuit and memory, the memory comprising instructions that when executed by the processor circuit cause the processor circuit to: receive, from a contract owner device within a distributed community, a plurality of encrypted keyshares and a plurality of public signing keys associated with an encrypted enclave; send, to the encrypted enclave, a contract identifier associated with the encrypted enclave and an encrypted enclave key, the encrypted enclave key based in part on the plurality of encrypted keyshares and the plurality of public signing keys; and access the encrypted enclave.
This invention relates to secure access control in distributed systems, particularly for encrypted enclaves within a distributed community. The problem addressed is ensuring secure and verifiable access to encrypted enclaves while maintaining privacy and integrity of cryptographic keys. The device operates within a distributed system where a member device interacts with a contract owner device and an encrypted enclave. The member device includes a processor and memory storing instructions to perform key management and enclave access. The device receives encrypted keyshares and public signing keys from the contract owner, which are used to derive an encrypted enclave key. This key is sent to the encrypted enclave along with a contract identifier to authenticate and authorize access. The encrypted enclave key is generated from the received keyshares and public signing keys, ensuring secure and verifiable access without exposing the underlying cryptographic material. The system leverages distributed key management to enhance security, where multiple encrypted keyshares and public signing keys are used to reconstruct the enclave key. This approach prevents unauthorized access while allowing legitimate members to interact with the encrypted enclave. The device's functionality ensures that access is granted only when the correct cryptographic conditions are met, maintaining the integrity and confidentiality of the enclave's operations.
2. The device of claim 1 , the instructions when executed by the processor circuit cause the processor circuit to: determine whether the encrypted enclave satisfies a policy of the distributed community; and send, to the encrypted enclave, the contract identifier and the enclave key based on a determination that the encrypted enclave satisfies the policy of the distributed community.
This invention relates to secure computing environments within distributed systems, specifically addressing the challenge of verifying and managing access to encrypted enclaves in a distributed community. An encrypted enclave is a protected execution environment that isolates sensitive operations from unauthorized access. The problem solved is ensuring that only enclaves meeting predefined community policies can receive critical information, such as contract identifiers and enclave keys, which are necessary for secure operations. The device includes a processor circuit configured to execute instructions that perform several functions. First, it determines whether an encrypted enclave complies with a policy established by the distributed community. This policy may include criteria such as security standards, authentication requirements, or operational constraints. If the enclave meets these criteria, the processor sends the enclave a contract identifier and an enclave key. The contract identifier uniquely identifies a secure agreement or transaction, while the enclave key enables secure communication or access within the enclave. This selective distribution ensures that only compliant enclaves can participate in secure operations, enhancing the overall security of the distributed system. The invention thus provides a mechanism for enforcing policy-based access control in distributed environments, particularly where encrypted enclaves are used for sensitive computations.
3. The device of claim 1 , the instructions when executed by the processor circuit cause the processor circuit to receive, from the contract owner device, a public key of the contract owner and the contract identifier associated with the encrypted enclave.
This invention relates to secure computing environments, specifically systems for managing encrypted enclaves in a distributed computing network. The problem addressed is ensuring secure access and control of encrypted enclaves, which are isolated execution environments used to protect sensitive data and computations from unauthorized access. The invention involves a device with a processor circuit and memory storing instructions. The instructions, when executed, enable the device to receive a public key and a contract identifier from a contract owner device. The public key is used to authenticate the contract owner, while the contract identifier links to an encrypted enclave. The encrypted enclave is a secure execution environment where data and computations are isolated from the rest of the system. The device also receives an encrypted enclave from a provider device, which is decrypted using the public key of the contract owner. This ensures that only authorized parties can access and manage the enclave. Additionally, the device can generate a new contract identifier for a new encrypted enclave, ensuring unique identification and tracking. The device may also receive a request to access the encrypted enclave from a requester device, verify the requester's identity, and grant or deny access based on the verification. This ensures that only authorized users can interact with the enclave, maintaining security and integrity. The system supports secure deployment, management, and access control of encrypted enclaves in distributed computing environments.
4. The device of claim 1 , the instructions when executed by the processor circuit cause the processor circuit to: decrypt the plurality of encrypted keyshares; derive an enclave key based in part on plurality of decrypted keyshares; and encrypt the enclave key based in part on the contract identifier associated with the encrypted enclave and an enclave seal key.
This invention relates to secure key management in computing systems, particularly for protecting enclave keys used in trusted execution environments. The problem addressed is ensuring secure storage and retrieval of enclave keys while maintaining confidentiality and integrity in distributed systems. The system includes a processor circuit and memory storing instructions for managing encrypted enclave keys. The instructions, when executed, perform several functions. First, they decrypt a plurality of encrypted keyshares, which are distributed fragments of a master key. These decrypted keyshares are then used to derive an enclave key, which is a cryptographic key specific to a secure enclave. The enclave key is subsequently encrypted using a contract identifier associated with the encrypted enclave and an enclave seal key. This ensures that the enclave key remains protected and can only be decrypted by authorized entities with access to the contract identifier and seal key. The system enhances security by distributing key material and requiring multiple components to reconstruct the enclave key, reducing the risk of unauthorized access. The use of contract identifiers further ensures that keys are bound to specific contracts, preventing misuse. This approach is particularly useful in cloud computing and distributed systems where secure enclaves are used to protect sensitive operations.
5. The device of claim 4 , the encrypted enclave, responsive to receiving the contract identifier associated with the encrypted enclave and the encrypted enclave key from the device, to: decrypt the encrypted enclave key; determine whether the enclave key is authentic; and allow access to the encrypted enclave from the device based on a determination that the enclave key is authentic.
This invention relates to secure access control for encrypted enclaves in computing systems. The problem addressed is ensuring secure and authenticated access to encrypted data enclaves, which are isolated execution environments used to protect sensitive data and operations from unauthorized access. The system includes a device and an encrypted enclave. The encrypted enclave is a protected execution environment that stores encrypted data and processes sensitive operations. The device interacts with the enclave by providing a contract identifier and an encrypted enclave key. The enclave receives these inputs, decrypts the enclave key, and verifies its authenticity. If the key is valid, the enclave grants the device access to its contents. This ensures that only authorized devices with the correct key can access the enclave, enhancing security. The enclave key is encrypted to prevent unauthorized parties from accessing it during transmission. The decryption and authentication process ensures that the key has not been tampered with. The access control mechanism is dynamic, allowing or denying access based on real-time verification of the key's authenticity. This approach mitigates risks such as unauthorized data breaches and unauthorized enclave access, which are critical in secure computing environments. The system is particularly useful in applications requiring high-security data processing, such as financial transactions, healthcare data management, and confidential communications.
6. The device of claim 5 , the plurality of encrypted keyshares based in part on keyshares of a plurality of provisioning services, the keyshares of the plurality of provisioning services randomly generated portions of the enclave key, each of which is signed by a private key of the provisioning service that generated the keyshare.
This invention relates to secure key management in computing systems, specifically for generating and distributing encrypted keyshares for an enclave key. The problem addressed is ensuring secure and verifiable distribution of cryptographic keys across multiple provisioning services while maintaining the integrity and confidentiality of the enclave key. The device includes a plurality of encrypted keyshares derived from keyshares provided by multiple provisioning services. Each provisioning service independently generates a random portion of the enclave key, forming a keyshare. These keyshares are then signed using the provisioning service's private key to ensure authenticity and integrity. The encrypted keyshares are based on these signed keyshares, allowing the enclave key to be reconstructed only when a sufficient number of valid keyshares are combined. The system ensures that no single provisioning service has access to the complete enclave key, enhancing security by distributing trust among multiple entities. The use of signed keyshares allows for verification of the origin and integrity of each keyshare, preventing tampering or unauthorized modifications. This approach is particularly useful in environments requiring high security, such as cloud computing, secure enclaves, or distributed systems where multiple parties must collaborate to manage cryptographic keys securely.
7. The device of claim 6 , the plurality of public signing keys associated with the private keys of the plurality of provisioning services.
A system for secure device provisioning involves a device configured to receive a provisioning request from a user, where the request includes a device identifier and a user identifier. The device generates a cryptographic key pair, including a private key and a public signing key, and securely stores the private key. The device then transmits the public signing key to a provisioning service, which verifies the key and associates it with the device identifier and user identifier. The provisioning service generates a provisioning token, signs it with its own private key, and transmits the signed token to the device. The device verifies the token using a public signing key associated with the provisioning service and, upon successful verification, completes the provisioning process. The system ensures secure key management and authentication by using cryptographic signatures to validate interactions between the device and provisioning services. Multiple provisioning services may be supported, each with their own key pairs, allowing flexible and scalable provisioning workflows. The system addresses security risks in device provisioning by ensuring that only authorized services can provision devices and that all communications are cryptographically verified.
8. At least one non-transitory computer-readable storage medium, comprising instructions for execution by processing circuitry of a device in a distributed system, the instructions to cause the processing circuitry to: receive, from a contract owner device within a distributed community, a plurality of encrypted key shares and a plurality of public signing keys associated with an encrypted enclave; send, to the encrypted enclave, a contract identifier associated with the encrypted enclave and an encrypted enclave key, the encrypted enclave key based in part on the plurality of encrypted keyshares and the plurality of public signing keys; and access the encrypted enclave.
This invention relates to secure access control in distributed systems, particularly for encrypted enclaves within a distributed community. The problem addressed is ensuring secure and verifiable access to encrypted enclaves while maintaining privacy and integrity of cryptographic keys. The solution involves a method for managing and accessing encrypted enclaves using distributed key shares and public signing keys. The system operates by receiving encrypted key shares and public signing keys from a contract owner device within the distributed community. These keys are used to derive an encrypted enclave key, which is then sent to the encrypted enclave along with a contract identifier. The encrypted enclave key is generated based on the combination of the encrypted key shares and public signing keys, ensuring that access is controlled and verifiable. The encrypted enclave can then be accessed securely, with the cryptographic operations performed within the enclave remaining confidential and tamper-resistant. This approach enhances security by distributing key management across multiple parties, reducing the risk of unauthorized access. The use of public signing keys allows for verification of the enclave's authenticity, while the encrypted key shares ensure that no single entity has complete control over the access mechanism. The system is designed for use in distributed systems where secure, decentralized access to encrypted resources is required.
9. The at least one non-transitory computer-readable storage medium of claim 8 , the instructions further cause the processing circuitry to: determine whether the encrypted enclave satisfies a policy of the distributed community; and send, to the encrypted enclave, the contract identifier and the enclave key based on a determination that the encrypted enclave satisfies the policy of the distributed community.
This invention relates to secure data processing in distributed systems, particularly for managing encrypted enclaves within a distributed community. The problem addressed is ensuring secure and policy-compliant interactions between enclaves and the broader distributed system, where enclaves are isolated execution environments that process sensitive data. The system involves a non-transitory computer-readable storage medium storing instructions that, when executed by processing circuitry, perform operations to manage encrypted enclaves. The instructions cause the processing circuitry to determine whether an encrypted enclave meets a predefined policy of the distributed community. If the enclave satisfies the policy, the system sends a contract identifier and an enclave key to the enclave. The contract identifier likely references a predefined agreement or protocol governing the enclave's operations, while the enclave key enables secure communication or access to encrypted resources. The policy evaluation ensures that only compliant enclaves receive critical information, enhancing security. The system may also involve generating or managing enclave keys, which are cryptographic keys used to secure data within the enclave. The overall approach aims to balance security and usability in distributed environments where enclaves must operate under strict governance rules. This method is particularly useful in blockchain, cloud computing, or federated learning systems where data privacy and integrity are paramount.
10. The at least one non-transitory computer-readable storage medium of claim 8 , the instructions further cause the processing circuitry to receive, from the contract owner device, a public key of the contract owner and the contract identifier associated with the encrypted enclave.
A system and method for secure contract management using encrypted enclaves involves a computing device that executes instructions to manage access to encrypted enclaves, which are isolated execution environments for contract data. The system receives a contract identifier associated with an encrypted enclave and a public key of the contract owner from a contract owner device. The encrypted enclave is a secure execution environment that processes contract data while preventing unauthorized access. The system verifies the contract owner's identity using the public key and ensures that only authorized parties can access or modify the contract data within the enclave. The contract identifier uniquely identifies the encrypted enclave, allowing the system to locate and manage the specific enclave associated with the contract. The system may also generate and distribute cryptographic keys to secure communication between the contract owner device and the encrypted enclave. This approach enhances security by isolating contract data within encrypted enclaves and using cryptographic verification to control access. The system ensures that contract data remains confidential and tamper-proof, addressing security concerns in contract management systems.
11. The at least one non-transitory computer-readable storage medium of claim 8 , the instructions further cause the processing circuitry to: decrypt the plurality of encrypted keyshares; derive an enclave key based in part on plurality of decrypted keyshares; and encrypt the enclave key based in part on the contract identifier associated with the encrypted enclave and an enclave seal key.
This invention relates to secure key management in computing environments, particularly for protecting enclave keys used in trusted execution environments. The problem addressed is ensuring secure storage and retrieval of enclave keys while maintaining their confidentiality and integrity, even when the system is compromised. The system involves a non-transitory computer-readable storage medium containing instructions that, when executed by processing circuitry, perform key management operations. The instructions handle a plurality of encrypted keyshares, which are decrypted to recover the original keyshares. These decrypted keyshares are then used to derive an enclave key, which is a cryptographic key used to secure operations within a trusted execution enclave. To further protect the enclave key, it is encrypted using a contract identifier associated with the encrypted enclave and an enclave seal key. The contract identifier ensures the key is bound to a specific enclave instance, while the enclave seal key provides additional security. This approach enhances security by distributing key material across multiple keyshares, requiring decryption and reassembly before use. The use of a contract identifier and enclave seal key ensures the derived enclave key is only usable in its intended context, preventing unauthorized access or misuse. The system is designed to operate in environments where hardware-based security mechanisms, such as trusted execution environments, are available.
12. The at least one non-transitory computer-readable storage medium of claim 11 , the encrypted enclave, responsive to receiving the contract identifier associated with the encrypted enclave and the encrypted enclave key from the device, to: decrypt the encrypted enclave key; determine whether the enclave key is authentic; and allow access to the encrypted enclave from the device based on a determination that the enclave key is authentic.
This invention relates to secure access control for encrypted enclaves in computing systems. The problem addressed is ensuring that only authorized devices can access encrypted enclaves, which are isolated execution environments for sensitive data or operations. The solution involves a method for verifying the authenticity of an enclave key before granting access to an encrypted enclave. The system includes a device and at least one non-transitory computer-readable storage medium storing an encrypted enclave and an encrypted enclave key. The device sends a contract identifier associated with the encrypted enclave and the encrypted enclave key to the storage medium. The encrypted enclave, upon receiving these inputs, decrypts the enclave key and checks its authenticity. If the key is verified as authentic, the encrypted enclave allows the device to access its contents. This process ensures that only devices with valid keys can interact with the enclave, enhancing security for sensitive operations or data stored within the enclave. The system may also include additional steps, such as generating the encrypted enclave and key, or transmitting them to the storage medium, to establish the secure environment. The overall approach provides a robust mechanism for controlling access to encrypted enclaves in computing systems.
13. The at least one non-transitory computer-readable storage medium of claim 12 , the plurality of encrypted keyshares based in part on keyshares of a plurality of provisioning services, the keyshares of the plurality of provisioning services randomly generated portions of the enclave key, each of which is signed by a private key of the provisioning service that generated the keyshare.
Data security and key management in computing environments. This invention addresses the challenge of securely managing and distributing encryption keys, particularly within isolated execution environments known as enclaves. The core of the invention resides in a computer-readable storage medium containing a plurality of encrypted keyshares. These keyshares are derived, in part, from keyshares associated with multiple provisioning services. Each provisioning service generates a portion of a central enclave key. Crucially, these generated portions are then signed by the private key of the specific provisioning service that created them, ensuring authenticity and integrity. This method enhances security by distributing fragments of the enclave key across different services, with each fragment being cryptographically verified by its origin.
14. The at least one non-transitory computer-readable storage medium of claim 13 , the plurality of public signing keys associated with the private keys of the plurality of provisioning services.
A system and method for secure key management in a distributed provisioning environment involves a non-transitory computer-readable storage medium storing executable instructions for managing cryptographic keys. The system includes a plurality of provisioning services, each with a private key and an associated public signing key. These keys are used to authenticate and authorize operations within the system. The storage medium further includes instructions for generating, storing, and managing these keys, ensuring secure communication and data integrity across the provisioning services. The system may also include a key management module that handles key generation, distribution, and revocation, ensuring that only authorized entities can access or modify the keys. The provisioning services use the public signing keys to verify the authenticity of requests and responses, preventing unauthorized access or tampering. The system is designed to operate in environments where multiple provisioning services need to securely interact, such as in cloud computing, distributed ledger technologies, or secure software distribution platforms. The solution addresses the challenge of securely managing cryptographic keys in decentralized systems, ensuring that keys are properly authenticated and protected from unauthorized access.
15. A computer-implemented method for accessing an encrypted enclave, comprising: receiving, from a contract owner device within a distributed community, a plurality of encrypted keyshares and a plurality of public signing keys associated with an encrypted enclave; sending, to the encrypted enclave, a contract identifier associated with the encrypted enclave and an encrypted enclave key, the encrypted enclave key based in part on the plurality of encrypted keyshares and the plurality of public signing keys; and accessing, from the computer, the encrypted enclave.
This invention relates to secure access control for encrypted enclaves in distributed systems. The problem addressed is ensuring secure and verifiable access to encrypted enclaves, which are isolated execution environments used to protect sensitive data and computations. The solution involves a method for accessing an encrypted enclave using a distributed key management approach. The method begins by receiving encrypted keyshares and public signing keys from a contract owner device within a distributed community. These keyshares are partial encryption keys that, when combined, form a complete key for accessing the enclave. The public signing keys are used to verify the authenticity of the keyshares. The system then sends a contract identifier and an encrypted enclave key to the enclave. The encrypted enclave key is derived from the received keyshares and public signing keys, ensuring that only authorized parties with the correct combination of keyshares can access the enclave. Finally, the system accesses the enclave using the decrypted key, enabling secure execution or data retrieval within the protected environment. This approach enhances security by distributing key management across multiple parties, reducing the risk of unauthorized access. The use of public signing keys ensures that only valid keyshares are used, preventing tampering or forgery. The method is particularly useful in decentralized systems where trust must be established without a central authority.
16. The computer-implemented method of claim 15 , comprising: determining whether the encrypted enclave satisfies a policy of the distributed community; and sending, to the encrypted enclave, the contract identifier and the enclave key based on a determination that the encrypted enclave satisfies the policy of the distributed community.
This invention relates to secure computing environments within distributed systems, specifically addressing the challenge of verifying and authorizing encrypted enclaves to participate in a distributed community. An encrypted enclave is a secure execution environment that isolates sensitive computations from unauthorized access. The problem solved is ensuring that only enclaves meeting predefined security policies can access shared resources, such as contract identifiers and cryptographic keys, within the distributed community. The method involves determining whether an encrypted enclave complies with the community's security policy. This policy may include criteria such as enclave authentication, integrity verification, or compliance with specific security standards. If the enclave meets the policy requirements, the system sends the enclave a contract identifier and an enclave key, enabling it to securely interact with the distributed community. The contract identifier uniquely identifies a shared resource or agreement, while the enclave key allows secure communication and access control. This approach ensures that only authorized and compliant enclaves can participate in the distributed system, enhancing security and trust. The method may also involve additional steps, such as validating the enclave's cryptographic proofs or verifying its operational parameters before granting access.
17. The computer-implemented method of claim 15 , comprising receiving, from the contract owner device, a public key of the contract owner and the contract identifier associated with the encrypted enclave.
This invention relates to secure contract management in a distributed computing environment, specifically addressing the challenge of verifying contract ownership and ensuring secure access to encrypted enclaves. The method involves a system that receives a public key from a contract owner device, along with a contract identifier linked to an encrypted enclave. The encrypted enclave is a secure execution environment where contract-related data is processed, and the public key is used to authenticate the contract owner. The system verifies the contract owner's identity by validating the public key against stored records, ensuring only authorized parties can access or modify the encrypted enclave. This process enhances security by preventing unauthorized access to sensitive contract data while maintaining the integrity of the enclave's operations. The method also includes steps to decrypt the enclave using the contract identifier, allowing the contract owner to interact with the enclosed data securely. The overall solution ensures that contract management remains tamper-proof and accessible only to verified owners, addressing risks associated with unauthorized access in decentralized systems.
18. The computer-implemented method of claim 15 , comprising: decrypt the plurality of encrypted keyshares; derive an enclave key based in part on plurality of decrypted keyshares; and encrypt the enclave key based in part on the contract identifier associated with the encrypted enclave and an enclave seal key.
This invention relates to secure key management in computing environments, particularly for protecting enclave keys used in trusted execution environments. The problem addressed is ensuring secure access and management of cryptographic keys within enclaves while maintaining confidentiality and integrity against unauthorized access. The method involves decrypting a plurality of encrypted keyshares, which are distributed fragments of a master key. These decrypted keyshares are then used to derive an enclave key, which is a cryptographic key specific to a secure enclave. The enclave key is subsequently encrypted using a combination of a contract identifier associated with the encrypted enclave and an enclave seal key. The contract identifier ensures that the enclave key can only be decrypted by authorized entities with access to the correct contract, while the enclave seal key provides an additional layer of security. This approach prevents unauthorized decryption of the enclave key even if an attacker gains access to the encrypted keyshares or the contract identifier alone. The method ensures that only entities with both the correct contract identifier and the enclave seal key can access the enclave key, enhancing security in distributed and multi-party computing environments.
19. The computer-implemented method of claim 18 , the encrypted enclave, responsive to receiving the contract identifier associated with the encrypted enclave and the encrypted enclave key from the computer, to: decrypt the encrypted enclave key; determine whether the enclave key is authentic; and allow access to the encrypted enclave from the computer based on a determination that the enclave key is authentic.
This invention relates to secure access control for encrypted enclaves in computing systems. The technology addresses the problem of ensuring that only authorized entities can access sensitive data stored within encrypted enclaves, which are isolated execution environments designed to protect data from unauthorized access. The method involves a computer system that interacts with an encrypted enclave. The computer system sends a contract identifier and an encrypted enclave key to the encrypted enclave. The enclave then decrypts the received enclave key and verifies its authenticity. If the key is determined to be authentic, the enclave grants the computer system access to its contents. This process ensures that only systems possessing a valid, authenticated key can interact with the enclave, enhancing security for sensitive operations. The encrypted enclave operates as a secure execution environment, isolating data and processes from external threats. The contract identifier serves as a reference to establish a trusted relationship between the computer and the enclave. The decryption and authentication steps validate the key before access is permitted, preventing unauthorized access even if the key is intercepted. This approach is particularly useful in scenarios requiring high-security data handling, such as financial transactions, confidential communications, or secure cloud computing.
20. The computer-implemented method of claim 19 , the plurality of encrypted keyshares based in part on keyshares of a plurality of provisioning services, the keyshares of the plurality of provisioning services randomly generated portions of the enclave key, each of which is signed by a private key of the provisioning service that generated the keyshare, and the plurality of public signing keys associated with the private keys of the plurality of provisioning services.
This invention relates to secure key management in computing environments, particularly for generating and distributing encrypted keyshares to protect an enclave key. The problem addressed is ensuring the integrity and security of cryptographic keys used in trusted execution environments (TEEs) or secure enclaves, where unauthorized access or tampering could compromise sensitive operations. The method involves generating an enclave key by combining keyshares from multiple provisioning services. Each provisioning service independently generates a random portion of the enclave key, creating a keyshare, and signs it with its private key. These signed keyshares are then encrypted and distributed as part of a plurality of encrypted keyshares. The system also maintains a set of public signing keys corresponding to the private keys of the provisioning services, allowing verification of the keyshares' authenticity. By distributing the enclave key across multiple provisioning services and requiring their signatures, the system enhances security through redundancy and cryptographic verification. This approach prevents single points of failure and ensures that only authorized entities can reconstruct the enclave key, mitigating risks of unauthorized access or tampering. The use of signed keyshares ensures that each portion of the key is verifiable, maintaining trust in the key generation and distribution process.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
October 28, 2019
February 1, 2022
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.